198 Million Car-Buyer Records Exposed – Experts Comments

It has been reported that over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, have been found exposed on the internet for anyone to see. The non-password-protected Elasticsearch database belonged to Dealer Leads, a company that gathers information on prospective buyers via a network of SEO-optimised, targeted websites.

According to the researcher, the websites all provide car-buying research information and classified ads for visitors. They collect this info and send it on to franchise and independent car dealerships to be used as sales leads. The exposed database in total contained 413GB of data. The information included records with names, email addresses, phone numbers, physical addresses, IP addresses and other sensitive or identifiable information exposed to the public internet in plain text.

Data in the wrong hands – especially personal information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach. In addition, the exposed information in this database includes personally identifiable information such as name, last name, address, phone number – which can be used for identity theft. Passive biometrics and behavioral analytics can help prevent the online use of this information, whether it is utilized for account takeover or for the creation of new accounts under the stolen identity. This technology helps verify people and detect unusual online patterns based on the user’s behavior. It also acts as a post-breach control, allowing online companies to block fraudulent transactions even if the cybercriminal has the right password or other credentials.

Data leaks are something that should definitely be taken seriously. Not only do they damage a brand's reputation, but they also hurt the privacy of their clients. The biggest lesson that can be taken away is that all personal information should be treated with the highest of concern. There should not be any circumstance where private information storage is exposed publicly. There is not any margin for error when it comes to this, since once a leak happens there is no going back.
Following best practices such as network segmentation and the 'least privilege' model helps prevent these kinds of leaks from occurring. Network segmentation is highly important as it prevents high exposure of internal infrastructure. Furthermore, giving users only the least privileges necessary for data access lessens the probability of a data leak.
Surprisingly, these heavily recommended practices are not commonly followed. A simple search on shodan.io will show a plethora of S3 buckets and database API endpoints that are publicly accessible without any security restraints. This leak should serve as a reminder that network-attached infrastructure should constantly be audited for best practices and recommended security configurations.

There are tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases – meaning it doesn't take much effort for outsiders to find unsecured databases. That is one of the reasons why abusing misconfigurations has grown in popularity as an attack vector across all industries, along with the continued carelessness of companies when it comes to cybersecurity.
Vulnerabilities such as these can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. There is no excuse for negligent security practices such as leaving databases exposed. As such, all companies, even those with limited IT resources, must take full responsibility for securing user data and should turn to flexible, cost-effective solutions that can prevent data leakage. Examples include cloud access security brokers that boast features like cloud security posture management, data loss prevention, user and entity behaviour analytics, and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.

Not a week goes by without more companies exposing cloud-based data publicly. While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have.
Cloud services have made it incredibly easy, convenient, and cost-effective to store large amounts of data, and with modern websites and apps, it is easier than ever before for companies to harvest more and more data from consumers. But just because it is possible to collect data on individuals, that doesn't mean it should be collected.
In fact, businesses should treat customer data in the same way as radioactive material should be treated - with great caution, using effective protection and only the amounts that are absolutely necessary.

The Dealer Leads breach is yet another reminder that this type of data exposure is far too commonplace, and a significant number of hacks this year have been a result of unsecured hosting. Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors.
This breach once again highlights the advantage adversaries have against defenders. The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn't take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders. This is yet another wake-up call to corporations, third-party vendors and all defenders to improve their security hygiene, update security patches and provide security awareness training.

Cloud storage misconfigurations exposing sensitive information online are becoming increasingly common, demonstrating how some organisations are not taking security seriously enough. Those that choose to use cloud-based databases need to practice basic cyber hygiene when configuring and securing these systems.
Data protection and privacy are paramount in today’s security landscape, and businesses that do not implement appropriate safeguards risk falling foul of the law and losing customer trust.

With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and de-identify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised.
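The comments above converge on one practical control: audit a node's configuration (bind address, authentication, TLS) against the platform's recommended settings before it is reachable from anything but localhost, and confirm from the outside that it no longer answers anonymously. The script below is an added example, not code from the article or from Dealer Leads' systems. It checks a flat `elasticsearch.yml` using the real setting names `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`; the two sample configurations, the cluster name and the 10.20.0.15 address on a segmented database network are constructed for illustration, and the script assumes security is off unless explicitly enabled (true for 7.x on a basic licence; 8.x enables it by default, so feed it the effective settings there).

```python
"""Audit an elasticsearch.yml for the unauthenticated-exposure pattern
behind the Dealer Leads leak, and classify an unauthenticated GET /
against one of your own nodes. Added example; assumptions are marked."""
import json
from typing import Dict, List, Optional

# Values of network.host that keep the HTTP API off the network entirely.
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}
# Values that bind every interface, i.e. no segmentation at the node itself.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}

# Constructed sample: the shape of config that ends up indexed on shodan.io.
WEAK_CONFIG = """
cluster.name: leads-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same node after segmentation, auth and TLS are applied.
HARDENED_CONFIG = """
cluster.name: leads-prod
network.host: 10.20.0.15   # constructed: address on the segmented DB network only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines elasticsearch.yml normally uses.
    Comments and blank lines are skipped; no PyYAML dependency needed."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value: Optional[str]) -> bool:
    return (value or "").strip().lower() == "true"


def audit_settings(settings: Dict[str, str]) -> List[str]:
    """Return findings ordered by severity; an empty list means nothing to fix."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")  # ES binds loopback when unset
    exposed = host not in LOOPBACK
    # Assumption: security counts as off unless explicitly enabled (7.x basic
    # licence behaviour); for 8.x nodes pass the effective setting instead.
    security_on = is_true(settings.get("xpack.security.enabled"))
    tls_on = is_true(settings.get("xpack.security.http.ssl.enabled"))
    if exposed and not security_on:
        findings.append(
            f"CRITICAL: network.host={host} with xpack.security.enabled off: "
            "anyone who can reach the HTTP port can read every index")
    if exposed and not tls_on:
        findings.append(
            "HIGH: xpack.security.http.ssl.enabled is off: credentials and "
            "records cross the network in plain text")
    if host in ALL_INTERFACES:
        findings.append(
            f"MEDIUM: network.host={host} binds every interface; bind to the "
            "segmented database network address instead")
    return findings


def classify_probe(status: int, body: str) -> str:
    """Interpret an unauthenticated GET / against your own node.
    401 means the security realm is answering; a 200 carrying cluster
    metadata means the node serves anonymously, as in the case reported."""
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc:
            return "open"
    return "unknown"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_settings(parse_flat_yaml(cfg)) or ["no findings"]:
            print("  " + finding)
    # Constructed probe responses, not captured from any real host.
    print(classify_probe(401, ""))
    print(classify_probe(200, '{"name": "node-1", "cluster_name": "leads-prod"}'))
```

Run it as a pre-deployment check in a pipeline and fail the deploy on any CRITICAL or HIGH finding; the `classify_probe` half is meant to run against your own hosts from outside the segmented network, where the only acceptable answer is `auth-required` or no connection at all.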